Earlier this week the US Department of Justice (DOJ) released a Deferred Prosecution Agreement (DPA) with the company Data Systems & Solutions (DS&S). I explored the factual allegations against DS&S and the highlights of the DPA in yesterday's post. Today I want to discuss the DS&S DPA in the context of the DOJ's evolution in thinking regarding what a company can do to protect itself under the Foreign Corrupt Practices Act (FCPA) when it purchases another entity or otherwise engages in mergers and acquisitions (M&A) work. In other words, forces the evolution of best practices.
Previously many compliance practitioners had based decisions in the M&A context on DOJ Opinion Release 08-02 (08-02), which related to Halliburton's proposed acquisition of the UK entity, Expro. In the spring of 2011, the Johnson & Johnson (J&J) DPA changed the perception of compliance practitioners regarding what is required of a company in the M&A setting related to FCPA due diligence, both pre and post-acquisition. On June 18, the DOJ released the DS&S DPA which brought additional information to the compliance practitioner on what a company can do to protect itself in the context of M&A activity.
Opinion Release 08-02 began as a request from Halliburton to the DOJ from issues that arose in the pre-acquisition due diligence of the target company Expro. Halliburton had submitted a request to the DOJ specifically posing these three questions: (1) whether the proposed acquisition transaction itself would violate the FCPA; (2) whether, through the proposed acquisition of Target, Halliburton would "inherit" any FCPA liabilities of Target for pre-acquisition unlawful conduct; and (3) whether Halliburton would be held criminally liable for any post-acquisition unlawful conduct by Target prior to Halliburton's completion of its FCPA and anti-corruption due diligence, where such conduct is identified and disclosed to the Department within 180 days of closing.
I. 08-02 Conditions
Halliburton committed to the following conditions, if it was the successful bidder in the acquisition:
Within ten business days of the closing, Halliburton would present to the DOJ a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which would address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. The Halliburton work plan committed to organizing the due diligence effort into high risk, medium risk, and lowest risk elements.
a) Within 90 days of Closing. Halliburton would report to the DOJ the results of its high risk due diligence.
b) Within 120 days of Closing. Halliburton would report to the DOJ the results to date of its medium risk due diligence.
c) Within 180 days of Closing. Halliburton would report to the DOJ the results to date of its lowest risk due diligence.
d) Within One Year of Closing. Halliburton committed full remediation of any issues which it discovered within one year of the closing of the transaction.
Many lawyers were heard to exclaim, "What an order, we cannot go through with it." However, we advised our clients not to be discouraged because 08-02 laid out a clear road map for dealing with some of the difficulties inherent in conducting sufficient pre-acquisition due diligence in the FCPA context. Indeed the DOJ concluded 08-02 by noting, "Assuming that Halliburton, in the judgment of the Department, satisfactorily implements the post-closing plan and remediation detailed above... the Department does not presently intend to take any enforcement action against Halliburton."
II. Johnson & Johnson "Enhanced Compliance Obligations"
Attachment D of the J&J DPA, entitled "Enhanced Compliance Obligations", is a list of compliance obligations in which J&J agreed to undertake certain enhanced compliance obligations for at least the duration of its DPA beyond the minimum best practices also set out in the J&J DPA. With regard to the M&A context, J&J agreed to the following:
7. J&J will ensure that new business entities are only acquired after thorough FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. Where such anti-corruption due diligence is not practicable prior to acquisition of a new business for reasons beyond J&J's control, or due to any applicable law, rule, or regulation, J&J will conduct FCPA and anti-corruption due diligence subsequent to the acquisition and report to the Department any corrupt payments, falsified books and records, or inadequate internal controls as required by ... the Deferred Prosecution Agreement.
8. J&J will ensure that J&J's policies and procedures regarding the anti-corruption laws and regulations apply as quickly as is practicable, but in any event no less than one year post-closing, to newly-acquired businesses, and will promptly, for those operating companies that are determined not to pose corruption risk, J&J will conduct periodic FCPA Audits, or will incorporate FCPA components into financial audits.
a. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to J&J, on the anticorruption laws and regulations and J&J's related policies and procedures; and
b. Conduct an FCPA-specific audit of all newly-acquired businesses within 18 months of acquisition.
These enhanced obligations agreed to by J&J in the M&A context were less time sensitive than those agreed to by Halliburton in 08-02. In the J&J DPA, the company agreed to following time frames:
A. 18 Month - conduct a full FCPA audit of the acquired company.
B. 12 Month - introduce full anti-corruption compliance policies and procedures into the acquired company and train those persons and business representatives which "present corruption risk to J&J."
So there is no longer a risk based approach as set out in 08-02 and the tight time frames are also relaxed. Once again we applaud the DOJ for setting out specific information for the compliance practitioner through the release of the J&J DPA. As many have decried 08-02 is a standard too difficult to satisfy in the real world of time constraints and budget cuts, the "Acquisition" component of the J&J DPA should provide those who have made this claim with some relief.
In the DS&S DPA there are two new items listed in the Corporate Compliance Program, attached as Schedule C to the DPA, rather than the standard 13 items we have seen in every DPA since at least November 2010. The new additions are found on items 13 & 14 on page C-6 of Schedule C and deal with mergers and acquisitions. They read in full:
13. DS&S will develop and implement policies and procedures for mergers and acquisitions requiring that DS&S conduct appropriate risk-based due diligence on potential new business entities, including appropriate FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. If DS&S discovers any corrupt payments or inadequate internal controls as part of its due diligence of newly acquired entities or entities merged with DS&S, it shall report such conduct to the Department as required in Appendix B of this Agreement.
14. DS&S will ensure that DS&S's policies and procedures regarding the anticorruption laws apply as quickly as is practicable to newly acquired businesses or entities merged with DS&S and will promptly:
a. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to DS&S, on the anti-corruption laws and DS&S's policies and procedures regarding anticorruption laws.
b. Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable.
This language draws from and builds upon the prior Opinion Release 08-02 regarding Halliburton's request for guidance and the J&J Enhanced Compliance Obligations incorporated into its DPA. While the DS&S DPA does note that it is specifically tailored as a solution to DS&S's FCPA compliance issues, I believe that this is the type of guidance that a compliance practitioner can rely upon when advising his or her clients on what the DOJ expects during M&A activities.
FCPA M&A Box Score Summary
18 months to conduct full FCPA audit
As soon "as practicable"
Implement FCPA Compliance Program
Immediately upon closing
Training on FCPA Compliance Program
60 days to complete training for high risk employees, 90 days for all others
12 months to complete training
I believe that the DOJ does listen to the concerns of US companies about issues relating to FCPA enforcement, which is consistent with its duty to uphold that law. Last month we saw the issue of the Morgan Stanley declination in the context of the Garth Peterson FCPA prosecution. With the DS&S DPA, there is clearly more flexible language presented in the context of M&A work and potential liability for 'buying a FCPA claim.'
Visit the FCPA Compliance and Ethics Blog, hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and other forms of risk management for a worldwide energy practice, tax issues faced by multi-national US companies, insurance coverage issues and protection of trade secrets.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2012
For more information about LexisNexis products and solutions connect with us through our corporate site.